SANS ISC: postcard.gif.exe; virus numbers!; IE7.beta warez bugged; Black Tuesday: be prepared - SANS Internet Storm Center

Thanks Chris!

Chris sent us some packets, which fellow handler George Bakos took and in which he discovered what looks like a weird bug in some equipment. We've notified the vendor and will follow up on it, but we promised to keep it under wraps until it is appropriate to speak about it. If it turns out to be more widespread than it appears now, we might decide to act otherwise at such time.

So please, do send us weird, unexplained packets; some of us eat them for breakfast.

You'll be making the Internet a better place. This is also why Chris deserves his 5 minutes of fame.

postcard.gif.exe

Ian sent in a spam email claiming to be a postcard, together with an analysis he did of the referenced critter. A VirusTotal scan I ran later today shows the usual diversity of names; moreover, several anti-virus products simply draw a blank on it.

Scan results
File: postcard.gif.exe
Date: 08/07/2005 21:09:18 (CET)
----
AntiVir 6.31.1.0/20050807 found [BDS/Zapchast.2]
Avast 4.6.695.0/20050805 found [Win32:Jeefo]
AVG 718/20050807 found [Win32/Hidrag.A]
Avira 6.31.1.0/20050805 found nothing
BitDefender 7.0/20050807 found [Trojan.Zapchas.F]
CAT-QuickHeal 7.03/20050807 found nothing
ClamAV devel-20050725/20050807 found [W32.Jeefo]
DrWeb 4.32b/20050807 found [Win32.HLLP.Jeefo.36352]
eTrust-Iris 7.1.194.0/20050806 found nothing
eTrust-Vet 11.9.1.0/20050805 found nothing
Fortinet 2.36.0.0/20050805 found [IRC/Zapchast.4D53-bdr]
F-Prot 3.16c/20050805 found nothing
Ikarus 0.2.59.0/20050805 found nothing
Kaspersky 4.0.2.24/20050807 found [Backdoor.IRC.Cloner.ae]
McAfee 4551/20050805 found [Generic component]
NOD32v2 1.1187/20050805 found [IRC/Cloner.AS]
Norman 5.70.10/20050805 found nothing
Panda 8.02.00/20050807 found [W32/Jeefo]
Sophos 3.96.0/20050807 found [W32/Jeefo-A]
Sybari 7.5.1314/20050807 found [Backdoor.IRC.Cloner.ae]
Symantec 8.0/20050806 found nothing
TheHacker 5.8.2.081/20050807 found [Trojan/Downloader.IstBar.gen]
VBA32 3.10.4/20050805 found [Backdoor.IRC.Zapchast]

There goes my faith in anti-virus software. Just kidding. Those folks are fighting an uphill battle that is reactive by nature, since the bad guys have their tools just as we do.

So, beyond running a different brand of anti-virus software on the perimeter than on the desktop, what more can you do?

Start with user education. Some awareness training will do wonders.

Next, make sure all Windows desktops and laptops are rolled out configured to show the extensions of all files, so that users actually get a chance to see the real name and be alarmed by the *.gif.exe, once they have been through the training that tells them they'll get punished for clicking on anything that looks like that.

Finally, try to filter messages formatted such that the URL the "a" tag refers to differs from the apparent URL shown inside the tag. Those messages should be quarantined. Also, wherever possible, keep double-extension attachments and downloads out of environments that are file-extension sensitive, such as Windows.
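A filter along the lines of the last paragraph, as an added example that is not from the diary: it walks a MIME message, flags anchors whose visible text is a URL naming a different host than the href, and flags double-extension attachment names. The sample message, the extension lists in the regex and the function names are assumptions made here.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not from the diary): the visible link text names one host
# while the href points to another, and the attachment carries a double extension.
SAMPLE_EMAIL = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>View it at <a href="http://198.51.100.7/postcard.gif.exe">www.example.com/postcard</a></p>
--b1
Content-Disposition: attachment; filename="postcard.gif.exe"

--b1--
"""
ANCHOR = re.compile(r'<a\b[^>]*\bhref=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:]\S*)?$", re.I)
DOUBLE_EXT = re.compile(r"\.(?:gif|jpe?g|png|txt|doc|pdf)\.(?:exe|scr|pif|com|bat|cmd)$", re.I)

def deceptive_anchors(html):
    """Anchors whose visible text is a URL naming a host other than the href's host.
    A regex is enough for this demo; a production filter should use a real HTML parser."""
    bad = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()   # strip nested tags from link text
        shown = URL_TEXT.match(text)
        if shown and shown.group(1).lower() != (urlparse(href).hostname or "").lower():
            bad.append((href, text))
    return bad

def quarantine_reasons(raw_message):
    """Return the reasons a message should be quarantined (empty list if it is clean)."""
    msg = message_from_string(raw_message)
    reasons = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            reasons += [f"link text {t!r} points to {h!r}" for h, t in deceptive_anchors(body)]
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name):
            reasons.append(f"double-extension attachment {name!r}")
    return reasons

if __name__ == "__main__":
    for reason in quarantine_reasons(SAMPLE_EMAIL):
        print("QUARANTINE:", reason)
```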

Virus numbers!

The thing with these differing names for a single virus is, simply put: why do you need them at all? Well, they are good for talking to somebody else; Melissa rings a bell, doesn't it? But as the example above shows, these names lead to nothing but confusion. "Yeah, I got to clean Jeefo." "Good luck with that one, I just cleaned Zapchas." Let alone the numbering/lettering used for the variants: once these get beyond B, it seems as if some vendors count faster than others. This lack of sync causes people to remember only the name, not the variant. But the payload, impact, clean-up, ... of a virus can differ quite a bit between variants, causing even more confusion.

So we could continue to argue, as customers, with our vendors and demand they synchronize. Tried that; apparently it still doesn't work all that well in the real world, despite promises to the contrary.

The other thing with virus names is that they create a chance of fame and glory for the author. "I wrote Melissa" (no I didn't, but you get the meaning) is a much more interesting statement at some hacker convention than "I wrote CXN-2001-0041".

So here goes my suggestion, for you to like or dislike: let's, as customers, demand that our suppliers switch to a system like the one used for vulnerabilities:

- CXN: Common eXploit Number

- CXC: Common eXploit Candidate

Once a CXN is issued, everybody switches their CXC to that CXN. A CXN is exactly one variant of one exploit (such as a virus), proven by samples kept by that central organization.

Let's demand the vendors fund a small third-party organization that keeps the numbers in sync; and if they are smart, they can learn to share descriptions and the like (which cost a lot of money to produce and gain us little as to exactly who made them, as long as they are good enough).

At the same time, the Internet at large gets rid of the fame and glory: authors no longer have a recognizable hook to get their trash into the press for their 15 minutes of fame.

Yes, I'm taking the step of sweeping viruses/worms/trojans/... all into a single "exploit" bin. It only makes sense, as it is all growing into the same thing anyway.

The next logical step would be to link exploits to vulnerabilities, and there you have the birth of a relational database. That database could (eventually) expand to include vendor info such as which version is vulnerable and which patch stops the vulnerability. That creates a link between, e.g., the IDS seeing an exploit and the admin relaxing as he sees that the patch for the associated vulnerability has already been deployed site-wide, and that the anti-virus reports it stopped it as well.

In Dutch there is a saying, "hoop doet leven". It is hard to translate, but literally it is something like "hope makes living". But I'm not expecting the vendors to be thrilled about it; FUD does sell products in our field.

IE7.beta warez bugged?

Microsoft is rightfully restricting downloads of IE7's beta release. This creates a market for warez versions, and Craig reported that one of those was bugged with spyware. It's a big download and a big thing to search through, so it's not (yet) confirmed by us.

But the generic advice to stay away from warez is easy to give. Aside from the legalities and ethics, you do not know what you get in your hands. It might erase everything, send spam in your name, erase all network shares it has access to, ... or it might do as advertised. How will you know?
What you do know is that you got it from people who tell you they don't mind breaking the law to provide you with an illegal copy of some piece of software.
Now, who do you trust?

Black Tuesday: be prepared!

Next Tuesday will be a Microsoft patch day. This will probably cause a lot of reboots throughout the world.

An anonymous reader pointed out this blog:
http://msmvps.com/bradley/archive/2005/07/28/59861.aspx
It contains experiences of locked-up machines running older APC software, which might cause them to hang during a reboot due to an expired certificate in a Java runtime environment. Perhaps some preparation will keep you from jumping to the "blame those new patches" conclusion.

Update: another anonymous reader gave us this URL from APC:
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=7202
which led us to Sun's writeup on the issue at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101796-1&searchclause=101796
--

Swa Frantzen